Abstract

We consider three kinds of mathematical objects which can be designated as the "meaning" or "semantics" of programs: binary relations between initial and final states, binary relations on predicates (partial correctness semantics), and functionals from predicates to predicates (predicate transformers). We exhibit various formal specification mechanisms: induction on program syntax, axioms, and deductive systems. We show that each kind of semantics can be specified by several different mechanisms. As long as arbitrary predicates on states are permitted, each kind of semantics uniquely determines the others - with the sole exception of the weakest pre-condition
1. Introduction

Our aim in this paper is to clarify the characteristics of a proper specification of programming language semantics. We illustrate alternative specifications of several different kinds of semantical objects and examine the extent to which these different semantics capture the same information about programs.

Hoare and Lauer [1974] have advocated using a variety of styles of programming language definitions to fit the variety of users from implementers to program verifiers. They consider the question of whether different specifications determine the same language by showing that the specifications are what they call "consistent". However, their treatment skirts the question of whether the specifications can each be taken to determine the language adequately.¹ Although, as we will show, any one of the kinds of semantical specifications they discuss -- operational definitions, relational "theories," and partial correctness assertions -- can be used to determine meaning uniquely, Hoare and Lauer do not make the case in their paper. In fact, both their relational and partial correctness specifications are satisfied by several different semantics, only one of which is desired.

We basically agree with Hoare and Lauer that alternate specifications can and should be given, but feel that the difficulties noted above indicate the need for more careful attention. Additional pitfalls which we attempt to avoid include confusion between the mathematical object which is designated to be the meaning of a program and methods for specifying that object; confusion between consistency and equivalence of two definitions; and confusion between completeness of a theory and its having a unique model. While these issues are familiar in mathematical logic, we take this opportunity to survey them in the context of the programming language semantics of a trivial class of while-programs. Because these programs are trivial, none of the challenging research problems concerned with explaining how complex programs behave, or what they "mean," can arise. This allows us to focus more clearly on the way in which the semantics are specified, without being distracted by any difficulty in understanding what that semantics may be.

Of particular interest to us is the thesis that a programming language semantics can be specified by giving all the "before-after" assertions true of programs in the language. This thesis appears first to have been put forward by the title of Floyd's seminal paper [1967]. Hoare and Wirth [1973] carried out the first serious attempt to apply the thesis in practice by specifying the semantics of a substantial fragment of the programming language PASCAL in this way. More recently, Dijkstra has advocated a similar approach to explaining semantics [Dijkstra, 1976, p. 17]:

"...we know the possible performance of the ... [program a] ... sufficiently well, provided that we can derive for any post-condition ... [Q] ... the corresponding weakest pre-condition ... [wp_a(Q)] ... because then we have captured what the ... [program] ... can do for us; and in the jargon the latter is called 'its semantics'."


In Sections 2 and 3 we consider different techniques for specifying the input-output behavior, i.e., relational semantics, of programs. In Sections 4 and 5 we analyze semantics based on sets of partial correctness assertions and weakest pre-conditions.

Since most of the proofs are entirely routine, we have postponed them to appendices. Nevertheless, for completeness most of the proofs are given.

This paper can be read without prior familiarity with Hoare and Lauer's paper.


2. The Programming Language and Meanings for It

2.1 While-Programs

Following Hoare and Lauer, we examine alternative specifications of the meaning of a trivial programming language with primitive statements, while statements, and statement lists. The syntax, omitting details of the form of predicate expressions, is as follows:

<program> ::= <primitive statement> | <while statement> | <program>;<program> | NOP

<while statement> ::= while <predicate expression> do <program>

As is usual with abstract syntax, we will not concern ourselves with ambiguity in parsing or with detailed syntax of expressions and primitive statements.

We assume that programs run on machines with states. We treat the states simply as abstract elements in some fixed set S, ignoring their internal structure. In many familiar examples primitive statements define total functions from states to states, but we need not make this assumption. Primitive statements may be partial, i.e. for some state s there may be no related state, and nonfunctional², i.e. for some states s there may be more than one related state. A primitive statement, A, thus has an effect on states which can be defined by giving an initial-state, final-state relation R_A ⊆ S×S such that (s, s') ∈ R_A iff A executed in s can terminate in state s'.

Example: Suppose that a state is an assignment of values to variables (to be thought of as a state of computer memory giving the contents of all the registers, arrays, etc.), and consider the primitive assignment statement choose u in U, where u is a variable of some basic type and U is a variable ranging over finite sets of elements of the same basic type. Then (s, s') ∈ R_{choose u in U} iff s(X) = s'(X) for all variables X ≠ u and s'(u) ∈ s(U).

Note that R_{choose u in U} is partial because s(U) may be empty, and is nonfunctional because s(U) may have more than one element.

A predicate P is a mapping from states to truth values. Predicate expressions p, q, ... appear in programs. We will use P, Q, ..., respectively, to denote the predicates corresponding to these expressions.³ For simplicity, we assume that predicate expressions always yield values, so that the predicate P associated with an expression p is true or false at each state and is never undefined.
We use the following notation throughout what follows:

a, b, c      programs,
A            primitive statements,
s, t         states (elements of the set S of all states),
p, q         predicate expressions,
P, Q         predicates on states,
L, M, R      binary relations on states (subsets of S×S),
𝓛, 𝓜, 𝓡      binary relations on predicates (subsets of 2^S × 2^S).

Each of these letters may appear with subscripts or multiply primed, e.g., s₁, s', Q'', etc.

2.2 Semantics and Specifications

A semantics for a programming language is a mapping from programs to objects in a domain of meanings. Examples of meanings are sets of state sequences, relations on states, relations on predicates, and functionals on predicates (predicate transformers). A semantical specification determines such a mapping, or perhaps a family of acceptable mappings, from programs to meanings. Thus, we do not require that a specification determine semantics uniquely. For example, in a typical specification error messages may be left to an implementer's discretion. Differing implementations of error messages will then correspond to differing semantical mappings which satisfy the specification (cf. Section 4.5).

A semantics is a mathematical object, and distinctions among semantics can be made precisely. In contrast, our classification of specification techniques is informal -- we do not attempt to give a precise or exhaustive characterization of methods for specifying semantics. Examples of specification techniques include operational definitions, inductive definitions, axioms, and deductive systems. It should be clear by example below what we will mean by the last three. Loosely, what we mean by an operational definition is one which has a computational flavor reflecting the step by step execution of programs. Operational definitions are not considered in this paper. Two examples appear in Hoare and Lauer's paper in their "interpretive" and "computational" definitions. In particular, their interpretive definition is an abstract machine which can execute program steps.

A semantics can also have a computational flavor. An example is a mapping of programs into sets of state sequences, where each sequence consists of the successive states which are reached during execution of the program. The second "computational" definition in the Hoare and Lauer paper is of just this semantics.
We note that such an 'operational' semantics need not be specified operationally. In fact, we can easily write a concise inductive specification of this semantics for our language. Each program a is mapped into the set of state sequences (or trajectories) Tr_a. We assume that the initial-state, final-state relations, R_A, of primitive programs A are given. The state sequence meaning, Tr_A, of A is the set of sequences ss' such that (s, s') ∈ R_A. The state sequence meanings of other programs are defined by induction on program structure, as follows:

TR1. Tr_NOP = {ss | s a state},

TR2. Tr_{a;b} = Tr_a : Tr_b,

TR3. Tr_{while p do a} = (Tr_p : Tr_a)* : Tr_{¬p},

where Tr_a : Tr_b is the set of state sequences s₁ ... s₂ ... s₃ such that s₁ ... s₂ ∈ Tr_a and s₂ ... s₃ ∈ Tr_b, Tr_p = {ss | P(s)}, and (Tr)* = Λ ∪ Tr ∪ Tr:Tr ∪ ..., where Λ is the singleton set containing the null sequence (defined to act as an identity element under the : operation).⁴

This association of sets of state sequences to programs is the same as that specified by Hoare and Lauer, and it clearly describes a reasonable kind of semantics for our language. To see this, note that NOP does not change the state, and the program a;b will follow a computation sequence s ... s' iff the program a started in s can follow a computation sequence s ... t and the program b can follow t ... s'. Similarly, for while loops, if P(s) then s ... s' is a computation sequence iff there are sequences s ... s₁, s₁ ... s₂, ..., sₙ ... s' which are computations of a, P(sᵢ) for all the sᵢ, ¬P(s'), and s ... s' = s ... s₁ s₁ ... s₂ ... sₙ ... s' s'. If ¬P(s) then while p do a acts like a NOP on s, that is, ss ∈ Tr_{while p do a}.

Hoare and Lauer show that their two operational definitions are "consistent" in that both define the same standard relational semantics, R, mapping program a to relation R_a. These initial-state, final-state relations can be defined as follows:

R_a = {(s, t) | there is a sequence s ... t ∈ Tr_a}.

Thus the standard relational semantics can be defined in terms of the state sequence semantics. (Consequently any specification of the latter semantics indirectly also specifies the former. It will accordingly be important to keep track of which kind of meanings are being specified in any given context. We illustrate this point further in Section 4.4.)

In addition to considering how a specification determines a semantics, we will examine ways in which differing semantics can determine one another. We shall say that one semantical mapping determines another iff any two programs which are assigned the same meaning in the meaning domain of the first semantics are also assigned the same meaning in the meaning domain of the second semantics. Two semantics are equivalent iff each determines the other. Thus, even if the domains of meaning of two semantics consist of distinct kinds of mathematical objects, it may be that the two semantics can be considered equivalent by this definition.


Equivalent semantics make exactly the same distinctions among programs. Thus the meaning of a program according to one semantics uniquely determines the meaning of that program according to all equivalent semantics. From a mathematical point of view this means that equivalent semantics provide exactly the same information about programs. Of course the method for transforming one meaning into another may be laborious or otherwise inconvenient. This is the rationale for making available independent specifications of semantics which may be equivalent. A similar rationale applies for presenting a variety of different specifications for the same semantics.

To illustrate these definitions, note that the state sequence semantics determines the standard relational semantics, since Tr_a = Tr_b clearly implies R_a = R_b. It should also be clear that they are not equivalent: NOP and NOP;NOP are the two most trivial programs with distinct state sequence meanings but the same standard relational meaning.

We will show that the standard partial correctness semantics considered in Section 4, two out of three of the predicate transformer semantics in Section 5, and the standard relational semantics are equivalent, but wp (Dijkstra's weakest pre-condition predicate transformer) and the standard relational semantics are incomparable, i.e., neither determines the other.


3. Relational Semantics

In this section we will consider several alternative specifications of the standard relational semantics, R, which associates with each program a the relation R_a defined in Section 2. More generally, an arbitrary relational semantics M is any mapping which assigns to each program a some relation M_a ⊆ S×S.


3.1 An Inductive Definition

A simple definition of the relation R_a to be associated with any program a can be given by induction on the syntax of programs, using only familiar mathematical operations on relations. In order to do this it is convenient to define R_p for any predicate expression p to be {(s, s) | P(s)}. For R₁, R₂ ⊆ S×S, let R₁* be the reflexive transitive closure of R₁, and R₁∘R₂ the composition of R₁ and R₂ (first R₁, then R₂). We assume that relations R_A for each primitive statement A are given. Then the relations associated with programs can be defined as follows:

R1. R_NOP = {(s, s) | s ∈ S} = the identity on S,

R2. R_{a;b} = R_a ∘ R_b,

R3. R_{while p do a} = (R_p ∘ R_a)* ∘ R_{¬p}.

This specification is trivially derived from TR1-3 given in Section 2; obviously R1-3 specifies directly the same standard relational semantics that TR1-3 specified indirectly.
3.2 Some Axioms for the Standard Relational Semantics

Hoare and Lauer choose to specify the standard relational semantics by giving a system of axioms for statements of the form "started in state s, program a terminates in state s'." We shall refer to such assertions as "transition assertions", and follow Hoare and Lauer in using the notation s(a)s' to denote such a statement. Thus,

Definition 1: s(a)s' is true for M iff (s, s') ∈ M_a, where M is an arbitrary relational semantics.

Their axioms⁵ are as follows:

HL1. s(A)s' ↔ (s, s') ∈ R_A,

HL2. s(a;b)s' ↔ ∃t[s(a)t ∧ t(b)s'],

HL3. s(while p do a)s' → ¬P(s'),

HL4. ∀s₁, s₂[(Q(s₁) ∧ P(s₁) ∧ s₁(a)s₂) → Q(s₂)] → [(Q(s) ∧ s(while p do a)s') → Q(s')],

HL5. s(NOP)s' ↔ s = s'.

They go on to prove that the standard relational semantics R is a model of HL1-5, that is, every instance of HL1-5 is true for R, so that any conclusion which logically follows from these axioms will be true of the standard semantics.

Of course this meets only half the requirements for specifying the semantics, since one must also show that any transition assertion which is true of the standard semantics follows logically from the axioms. Unfortunately HL1-5 do not imply all the true assertions, contrary to the "intuitive confidence in the completeness of the theory" expressed by Hoare and Lauer [p. 144], as we now illustrate.

We can understand the significance of HL1-5 as follows. If M is a model of HL1, we can conclude that M_A = R_A for each atomic statement A. Similarly, from HL5 we conclude that M_NOP = the identity on S = R_NOP, and from HL2 that M_{a;b} = M_a ∘ M_b. It follows that M_a = R_a for every while-free program a whenever M is a model of HL1, 2, 5.

Now consider the particular "divergent loop" relational semantics L defined as follows:

L_a = R_a if a is while-free,

L_a = ∅ otherwise.

Then L is obviously a model of HL1, 2, 5. But s(while p do a)s' is always false for L, so HL3-4 are true, vacuously, for L. Hence L is also a model of HL1-5.
The divergent loop semantics corresponds to an implementation in which the interpreter simply loops unconditionally whenever it starts to execute a while statement. Since L is a model, statements which logically follow from HL1-5 must always be true of this implementation. In particular, no transition assertion involving a program containing a while-loop follows from HL1-5, and so it seems hard to imagine circumstances in which HL1-5 would serve as an adequate characterization of the standard semantics. (However, in Section 4.4 we try to set matters right by indicating a sense in which HL1-5 do in fact specify R.)

3.3 A Complete Set of Axioms for the Standard Relational Semantics

There is no inherent obstacle to presenting axioms in the spirit of HL1-5 which correctly and completely specify the intended semantics. Indeed, adding two more axioms will suffice:

HL6. ¬P(s) → s(while p do a)s,

HL7. [P(s) ∧ s(a)s' ∧ s'(while p do a)t] → s(while p do a)t.

It is easy to verify that the standard semantics is a model of HL1-7. In Appendix A we prove:

Theorem 1: The standard relational semantics is the only model of HL1-7.

We remark that HL1-7 can be shown to be independent, i.e., Theorem 1 is not true when any one of HL1-7 is omitted.

3.4 A Deductive System for the Standard Relational Semantics

Another, perhaps more straightforward, way to specify the standard relational semantics is to give a system of axioms and inference rules for deducing transition statements. One such system is:

Axioms:

T1. s(A)s', for all s, s' ∈ S such that (s, s') ∈ R_A,

T2. s(NOP)s,

T3. s(while p do a)s, for all s ∈ S such that ¬P(s).

Inference Rules:

T4. s(a)t, t(b)s' ⊢ s(a;b)s',

T5. s(a)t, t(while p do a)s' ⊢ s(while p do a)s', for all s ∈ S such that P(s).



Let Th(T1-5) be the set of transition statements provable from T1-3 using T4-5.

Lemma 1. R_a = {(s, s') | s(a)s' ∈ Th(T1-5)}.

The proof, which we omit, is a routine induction on the structure of a and the number of executions of the body of a while-loop. (Cf. Appendix E, however, for a similar proof for a more general deductive system.)

Thus, the deductive system T1-5 specifies the same relational semantics as R1-3, and either can serve as the definitive specification. (We caution the reader not to confuse this deductive specification of a relational semantics with the deductive "theory" of Hoare and Lauer which we treat in Section 4.2 as a specification of a partial correctness semantics.)

The specification of R_a in terms of Th(T1-5) given in Lemma 1 can be rephrased in terms of familiar properties of deductive systems. Namely, T1-5 is sound for R, which means that every termination assertion in Th(T1-5) is true for R, and T1-5 is complete for R, which means that every termination assertion true for R is in Th(T1-5). Thus we can restate Lemma 1 as

Theorem 2. The set of transition assertions derivable in the system T1-5 is equal to the set of transition assertions true for the standard relational semantics.


4. Partial-Correctness Specifications and Semantics

Assertions of the form "if P holds before executing a, then if and when a halts, Q will hold" occur frequently when the behavior of programs is being described. Such assertions are called partial correctness assertions (pca's) and are abbreviated P{a}Q.

We shall define a partial correctness semantics for our programming language to be any mapping which assigns to each program a some binary relation on predicates. Any relational semantics M naturally determines a corresponding partial correctness semantics which assigns to program a the relation 𝓜_a consisting of those pairs (P, Q) such that P{a}Q is true of M.⁶

We shall observe that every relational semantics is equivalent to its associated partial correctness semantics. We give a complete deductive system for pca's and an axiom system for pca's. The pca's will serve as specifications of partial correctness semantics as well as specifications of relational semantics. The significance of specifications which have many relational models is considered, and we analyze several such specifications.


4.1 The Standard Partial Correctness Semantics

Definition 2: A partial correctness assertion consists of a program a and a pair (P, Q) of predicates on states, and is written "P{a}Q." The pair (P, Q) holds for a binary relation, R, on states iff ∀s, s'[(P(s) ∧ (s, s') ∈ R) → Q(s')]. P{a}Q is true for a relational semantics M iff (P, Q) holds for M_a.

The partial correctness semantics 𝓡 in which 𝓡_a = {(P, Q) | P{a}Q is true for R} is called the standard partial correctness semantics.

An arbitrary relation 𝓗 on predicates also determines a relation on states in a natural way. The relation is the maximum relation, M, such that all the pairs in 𝓗 hold for M. (That there always is such a maximum relation is shown in Appendix B, Lemma B1.) The rationale for taking this relation on states to be the one determined by a partial correctness semantics is nicely expressed by Schwarz [1974, p. 28]:

"Asserting a partial correctness statement is essentially asserting that certain environments are not the results of executing some command starting in certain other environments. ... This is a negative requirement, it does not force any environment to be the result of any execution. Since this is the inherent nature of the formalism it indicates that the proper kind of definition of the semantics determined by a system should have the form: 'largest possible semantics.'"

Definition 3: Let 𝓗 be a binary relation on predicates. Then

max(𝓗) = {(s, t) | P(s) → Q(t) for all (P, Q) ∈ 𝓗}.

We prove in Appendix B that max(𝓗) is indeed the maximum relation on states for which all the pairs of predicates in 𝓗 hold. Moreover, we prove

Lemma 2: Let M be a relational semantics. Then M_a = max{(P, Q) | P{a}Q is true for M}.

An immediate consequence of Lemma 2 is that R_a = max(𝓡_a), which implies that the standard partial correctness semantics determines the standard relational semantics.⁷ The converse determination follows by definition of 𝓡_a, namely, 𝓡_a = {(P, Q) | (P, Q) holds for R_a}. Thus we have

Theorem 3. The standard relational and standard partial correctness semantics are equivalent.

This theorem and the underlying Lemma 2 provide formal justification for the thesis that the initial-state final-state behavior of programs can be specified by the set of pca's true of the programs.⁸

4.2 Deducing Partial Correctness

The standard partial correctness semantics can, like the standard relational semantics, be specified by a simple system of axioms and inference rules. The notion of the weakest antecedent, [R]Q, of a predicate Q under a relation R is used in the axioms for primitive instructions. Informally, [R]Q is the predicate on states which is true of a state s provided that, if and when a program with initial-state, final-state relation R halts after being started in s, the predicate Q will necessarily hold.⁹

It is worth emphasizing that we will keep to the usual mathematical conventions in the vacuous case, namely, if the program does not halt started in state s, then [R]Q is true of s for any predicate Q.

Definition 4. Let R be a binary relation on states. For any predicate Q on states, the weakest antecedent of Q under R is a predicate, [R]Q, on states defined by

([R]Q)(s) iff (∀s')[(s, s') ∈ R → Q(s')].

It follows immediately from Definitions 2 and 4 that ([M_a]Q){a}Q is true for any relational semantics M, which is why [M_a]Q is called an "antecedent" of Q.

We shall use the notation "⊨(P → Q)" to mean that predicate P implies predicate Q, that is, ∀s(P(s) → Q(s)). The following lemma explains why [M_a]Q is called "weakest."

Lemma 3. P{a}Q is true for M iff ⊨(P → [M_a]Q).

The proof follows directly from the definitions and is omitted (cf. [Pratt, 1976; Harel, Meyer, Pratt, 1975; Schwarz, 1974]).

The following system is usually referred to as the Floyd-Hoare system for partial correctness.

Axioms:

FH1. P{NOP}P,

FH2. ([R_A]Q){A}Q,

Inference Rules:

FH3. P{a}P', P'{b}Q ⊢ P{a;b}Q,

FH4. (P ∧ Q){a}Q ⊢ Q{while p do a}(Q ∧ ¬P),

FH5. P{a}Q ⊢ (P ∧ P'){a}(Q ∨ Q').

Let Th(FH1-5) be the set of pca's derivable from FH1-2 using FH3-5. We prove in Appendix C that FH1-5 specifies the standard partial correctness semantics. Formally, we can state
Lemma 4: 𝓡_a = {(P, Q) | P{a}Q ∈ Th(FH1-5)}.

We have formulated Lemma 4 to emphasize our view of the system FH1-5 as a specification of a mathematical object, namely, a partial correctness semantics which turns out to be the standard one. As we did earlier for termination assertions we can also rephrase Lemma 4 from the more familiar viewpoint that truth of pca's is to be reckoned relative to the standard relational semantics. Then Lemma 4 means that FH1-5 is a sound and complete deductive system for pca's, that is,

Theorem 4: The set of partial correctness assertions derivable from FH1-5 is equal to the set of partial correctness assertions true for the standard relational semantics.

The system FH1-4 consisting of the first four of the Floyd-Hoare rules corresponds to the Deductive Theory¹⁰ D1-3 of Hoare and Lauer [p. 146]. The system FH1-4 is not complete, but we will see in Section 4.5 that there is a sense in which the incomplete system FH1-4 specifies the standard relational semantics.¹¹


4.3 Axioms for Partial Correctness Semantics

Although a deductive system resembling FH1-5 is the more usual specification of the standard partial correctness semantics, we can also write an axiom system to specify it. The axioms are suggested straightforwardly by the deductive system.

PC1. P{NOP}Q ↔ ⊨(P → Q),

PC2. P{A}Q ↔ ⊨(P → [R_A]Q),

PC3. P{a;b}Q ↔ ∃P'(P{a}P' ∧ P'{b}Q),

PC4. Q{while p do a}Q' ↔ ∃Q''[(P ∧ Q''){a}Q'' ∧ ⊨(Q → Q'') ∧ ⊨((Q'' ∧ ¬P) → Q')].

To  say  how  these  axioms  specify  the  partial  correctness  semantics  we  recall  the  technical 
meaning  of  the  word  model  and  distinguish  two  special  kinds  of  models. 

A mathematical  object  is  said  to  be  a model  for  a set  of  assertions  if  all  the  assertions  are  true 
for  the  object.  We  have  already  used  this  notion  in  Section  3 where  the  objects  were  relational 
semantics  and  the  assertions  were  transition  assertions.  By  Definition  2 we  know  what  it  means  for 
a pea  to  be  true  of  a relational  semantics,  and  hence  we  know  when  a relational  semantics  is  a 
relational  model  for  a set  of  assertions  (such  as  PCI-4)  involving  pea’s.  We  can  also  regard  a pea  as 
making  an  assertion  about  partial  correctness  semantics. 

Definition  5:  P|a)Q,  is  true  for  a partial  correctness  semantics  Jf  iff  (P,  Q)  € A partial 


correctness  semantics  is  a partial  correctness  model  for  an  axiom  system  (such  as  PCI-4)  Iff  it  is  a 
model  for  the  set  of  all  instances  of  those  axioms. 

Note that Definitions 2 and 5 are compatible in that if M is any relational semantics and $\mathcal{M}$ is the corresponding partial correctness semantics, then $P\{a\}Q$ is true for M iff it is true for $\mathcal{M}$. In particular, $P\{a\}Q$ has the same truth value in both the standard relational and partial correctness semantics.

Theorem 5 (de Bakker12): The standard partial correctness semantics is the only partial correctness model of PC1-4.

The  proof  is  in  Appendix  D. 

Again, we have formulated this theorem to emphasize our view of PC1-4 as uniquely specifying a particular partial correctness semantics.


4.4 Relational Models for Partial Correctness Specifications

We have just considered FH1-5 and PC1-4 as direct specifications of partial correctness semantics. We now take the more usual view and consider FH1-5 and PC1-4 as specifications of relational semantics according to their relational models. Thus we can rephrase Theorems 2, 4 and 5 in part by saying that R is a relational model of T1-5, FH1-5 and PC1-4.13

Notice that despite Theorems 2 and 4, we cannot say that R is the only model of T1-5 or FH1-5. For example, the "empty" semantics which assigns the empty relation to every program is a model of FH1-5, and the semantics which assigns the "total" relation $S \times S$ to every program is a model of T1-5.

A set of pca's will generally fail to have a unique relational model because, as suggested by the quotation in Section 4.1, pca's are "anti-monotone" in the following sense. If M and N are relational semantics then we shall say that N is larger than M iff $N_a \supseteq M_a$ for all programs a. Then by Definition 2 we see that if $P\{a\}Q$ is true for N, and N is larger than M, then $P\{a\}Q$ is also true for M. Thus, since R is a model of FH1-5, so is any relational semantics smaller than R.

On  the  other  hand,  Theorem  4 and  Lemma  2 together  imply  that  R is  larger  than  any 
model  of  FHI-5,  so  we  can  conclude 

Theorem  6.  The  standard  relational  semantics  is  the  largest  relational  model  of  FHI-5. 

Similarly, transition assertions are "monotone" in the sense that if $s(a)s'$ is true for M, and N is larger than M, then $s(a)s'$ is true for N. We conclude from Theorem 2 that

Theorem 7: The standard relational semantics is the smallest model of T1-5.
In particular, Hoare and Lauer [Theorem 4] observe that HL1-5 implies the first four Floyd-Hoare rules FH1-4.15 For some reason they do not consider the converse question of whether FH1-4 implies HL1-5. In fact, it does not; not even the full Floyd-Hoare system FH1-5 implies HL1-5. This is because any M smaller than R is a relational model of FH1-5, so that, for example, the empty semantics is a model of FH1-5 but not of HL1-5.

However, Hoare and Lauer's proof that HL1-5 implies FH1-4 actually establishes a slightly stronger result which we can use to reveal the connections between HL1-5, FH1-4, and R.

An inference rule such as any of FH3-5 or T4-5 will be called sound for a relational semantics M if, whenever the conditions (such as those for T5) for applicability of the rule are satisfied and the antecedent(s) of the rule is true for M, so is the consequent. In other words, an inference rule is sound if application of it preserves truth.

Lemma 5: If M is a model of FH1-2 and the inference rules FH3-4 are sound for M, then M is a model of FH1-5.

Proof: It is easy to see that FH5 is sound for all M. ∎

Theorem 9: R is the largest relational model of FH1-2 for which the inference rules FH3-4 are sound.

Proof: We let the reader convince himself that FH3-4 are sound for the standard relational semantics R (cf. [Hoare and Lauer, Theorem 4]). Thus, R is "a" model; that it is "the largest" model is immediate from Theorem 6 and Lemma 5. ∎

Lemma 6 (Hoare and Lauer): Let M be a model of HL1-5. Then M is a model of FH1-2 and the inference rules FH3-4 are sound for M.

We shall not repeat the proof (cf. [Hoare and Lauer, page 147]).

Theorem 10: R is the largest model of HL1-5.

Proof: Immediate from Theorem 9 and Lemma 6. ∎

The preceding theorems thus reveal the sense in which HL1-5 and the first four Floyd-Hoare rules FH1-4 serve as semantical specifications equivalent to the others we have considered: a rather obscure technical sense which was left implicit by Hoare and Lauer.

Our point here is that while we agree with Hoare and Lauer that relationships like implications between specifications with multiple models are important ideas, it is even more important to have a clear understanding of the family of models which are to be regarded as meeting the specifications. This is illustrated by the fact that the semantics L of Section 3.2 is a relational model both of HL1-5 and FH1-5, yet we certainly do not mean to accept an implementation of our language in which all while-loops diverge.


5 Predicate  Transformers 


There is yet another kind of semantics found in the literature, namely predicate transformer semantics. Instead of assigning a set of assertions to a program as its meaning, one can assign a function on predicates, called a predicate transformer, to that program. An example of a predicate transformer is $[R]$ for any binary relation R on states. This transformer maps each predicate Q into its weakest antecedent $[R]Q$. Another useful transformer is $\langle R\rangle$, defined as transforming any predicate Q into the predicate


The transformer which has received much attention recently is Dijkstra's weakest pre-condition $wp_a$. The predicate $wp_a(Q)$ is described by Dijkstra [1976, p. 16] as

"the condition which characterizes all initial states such that activation will certainly result in a properly terminating happening, leaving the system in a final state satisfying [the condition Q] ..."

We shall observe that for while-programs, if the primitive instructions A are well-behaved, e.g., if the relations are in fact functions, then $wp_a = \langle R_a\rangle$. This will enable us to conclude that in such cases wp yields a predicate transformer semantics which is equivalent to the standard semantics. However, in the general case when nondeterministic primitive instructions occur, wp semantics is incomparable to, i.e., it neither determines nor is determined by, the standard semantics.

As with other kinds of semantics, predicate transformers can be specified in several ways. We exhibit inductive definitions and deductive systems specifying wp and $\langle R\rangle$.


5.1 The Weakest Antecedent and Possible Termination Transformers

The standard weakest antecedent transformer semantics associates to each program a the meaning $[R_a]$. Thus by definition it is determined by the standard relational semantics. Conversely, observing that (P, Q) holds for R iff $\models(P \to [R]Q)$ (cf. Lemma 3), it follows that the standard partial correctness semantics is determined by the standard weakest antecedent transformer. The same observation reveals that we may define the weakest antecedent directly in terms of pca's as follows.

$[M_a]Q = \bigvee\{P \mid P\{a\}Q \text{ is true for } M\}$.17

Thus,  the  predicate  transformer  semantics  based  on  weakest  antecedent  carries  the  same 
information  as  relational  and  partial  correctness  semantics. 

The predicate $\langle R\rangle Q$, defined to be $\neg[R]\neg Q$, can be described informally as being true of a state s providing that it is always possible, starting in state s, to execute a (generally nondeterministic) program with initial-state, final-state relation R and halt in a state in which Q is true. We refer to $\langle R\rangle$ as the possible termination transformer corresponding to R and define the standard possible termination transformer semantics as associating $\langle R_a\rangle$ with a. Again, since $[R]Q = \neg\langle R\rangle\neg Q$, we see that possible termination semantics carries the same information as weakest antecedent semantics.

To summarize, we can state

Theorem 11: The standard weakest antecedent transformer, possible termination transformer, partial correctness, and relational semantics are all equivalent.


5.2  Inductive  Definitions  of  the  Weakest  Pre-condition  and  Possible  Termination  Transformers 

For the class of while programs we consider, Dijkstra [1976]18 clarifies the informal description of weakest pre-conditions quoted above by giving an inductive definition:

WP1. $wp_{NOP}(Q) = Q$,

WP2. $wp_{a;b}(Q) = wp_a(wp_b(Q))$,

WP3. $wp_{\text{while } p \text{ do } a}(Q) = \bigvee_k H_k$,

where $H_0 = \neg P \wedge Q$, and

$H_{k+1} = (P \wedge wp_a(H_k)) \vee H_0$.

If we assume that $wp_A$ is given for all primitive instructions A, then WP1-3 uniquely define the weakest pre-condition predicate transformer. In particular, when, as is typically the case, the primitive instructions are functional, we expect that $wp_A = \langle R_A\rangle$. The intuition behind this latter equation is that it is appropriate to treat an instruction as primitive only if it is sure to terminate whenever there is a legal termination state. It follows that if an instruction can possibly terminate in a state satisfying Q, i.e., if $\langle R_A\rangle Q$ holds, then because it is a primitive instruction, it will certainly terminate in some state, and because it is functional this state of termination is unique and satisfies Q, i.e., $wp_A(Q)$ holds. In this situation, it turns out that weakest pre-condition and possible termination semantics coincide for all programs of the simple kind we have been considering.20

Lemma 7: If $wp_A = \langle R_A\rangle$ for all primitive instructions A, then $wp_a = \langle R_a\rangle$ for all programs a.

The proof, which we omit, follows directly by induction on the structure of programs from WP1-3 and the definition of $\langle R_a\rangle$.

As a consequence of Lemma 7, we can replace "wp" by "$\langle R\rangle$" throughout WP1-3, thereby obtaining an inductive definition of $\langle R_a\rangle$.
5.3 Deductive Specification of Possible Termination


Assertions of the form "if P holds before executing a, then it is possible for a to halt with Q holding true" are called termination assertions and are abbreviated $P(a)Q$. Termination assertions correspond to possible termination transformers in the same way that pca's correspond to weakest antecedents.

Definition 6: $P(a)Q$ is true for the relational semantics M iff $\models(P \to \langle M_a\rangle Q)$.

Thus, we have immediately that

$\langle M_a\rangle Q = \bigvee\{P \mid P(a)Q \text{ is true for } M\}$,

so a deductive system for termination assertions provides a specification of the possible termination transformers.

Termination assertions are a natural generalization of the transition assertions of Section 3: the transition assertion $s(a)s'$ corresponds to the termination assertion $E_s(a)E_{s'}$, where $E_s$ is the "equals s" predicate true only in state s. The following deductive system correspondingly generalizes T1-5.


Axioms

TA1. $P(NOP)P$,

TA2. $(\langle R_A\rangle Q)(A)Q$,

TA3. $(\neg P \wedge Q)(\text{while } p \text{ do } a)Q$.

Inference Rules.

TA4. $P(a)Q',\ Q'(b)Q \vdash P(a;b)Q$,

TA5. $Q(a)Q',\ Q'(\text{while } p \text{ do } a)Q' \vdash (P \wedge Q)(\text{while } p \text{ do } a)(Q' \wedge \neg P)$,

TA6. $P(a)Q \vdash (P' \wedge P)(a)(Q \vee Q')$,

TA7. $P_1(a)Q,\ P_2(a)Q \vdash (P_1 \vee P_2)(a)Q$.


It is easy to see that TA1-7 is sound for the standard relational semantics R. Although not all termination assertions true for R are derivable, viz., TA1-7 is not quite complete, those assertions whose antecedents are finite are derivable.


Theorem 12: Let P be a predicate true in only finitely many states. Then $P(a)Q$ is derivable from TA1-7 iff $P(a)Q$ is true for the standard relational semantics.

It follows immediately that TA1-7 suffices to determine the standard possible termination transformers.

Corollary 13: $\langle R_a\rangle Q = \bigvee\{P \mid P(a)Q \in Th(TA1\text{-}7)\}$.

It is interesting to note that a complete system can be obtained by extending TA7 to an infinitary rule

TA8. $\{P_i(a)Q \mid i \in I\} \vdash (\bigvee\{P_i \mid i \in I\})(a)Q$,

where I is any index set.

Theorem 14: The termination assertions derivable from TA1-8 are precisely those true for the standard relational semantics.

The proofs of Theorems 12-14 are in Appendix E.


5.4  Weakest  Pre-conditions  of  Nondeterministic  Programs 

In  contrast  to  all  the  kinds  of  semantics  considered  so  far,  weakest  pre-conditions  for 
programs  with  nonfunctional  primitive  instructions  reflect  an  understanding  of  the  meaning  of 
programs  which  is  neither  determined  by  nor  determines  the  meaning  given  by  the  standard 
semantics. 

To illustrate these differences, let $A_1$ be NOP, let $A_2$ be a primitive instruction which resets every state to a given state $s_0$, and let $A_3$ be a primitive instruction which makes a nondeterministic choice between behaving like $A_1$ or $A_2$. Thus,

$R_{A_1} = I$, the identity on states,

$R_{A_2} = S \times \{s_0\}$, the constant function mapping any state s to $s_0$, and

$R_{A_3} = R_{A_1} \cup R_{A_2}$.

Since $A_1$ and $A_2$ are primitive and functional, we define

$wp_{A_1}(Q) = \langle R_{A_1}\rangle Q = Q$, and

$wp_{A_2}(Q) = \langle R_{A_2}\rangle Q =$ the constant predicate with value $Q(s_0)$.

In order to define the weakest pre-condition transformer for a nonfunctional primitive instruction such as $A_3$, we rely on Dijkstra's English description given above, combined with the intuitive reasoning indicated before Lemma 7. Namely, the pre-condition which "will certainly result" in post-condition Q after execution of a primitive instruction A is $[R_A]Q$ providing that execution terminates; for a primitive instruction we expect execution to terminate whenever there is a final state related to the initial state, that is, whenever $\langle R_A\rangle true$ holds. Thus we define

$wp_{A_3}(Q) = \langle R_{A_3}\rangle true \wedge [R_{A_3}]Q$

$= Q \wedge Q(s_0)$.22


Let $a_i$ be the program while p do $A_i$, for i = 1, 2, 3, and let $P = \neg E_{s_0}$. Then it follows from R1-3 that

$R_{a_1} = R_{\neg p} = \{(s_0, s_0)\}$, and

$R_{a_2} = R_{a_3} = R_{A_2} = S \times \{s_0\}$.

On the other hand, it follows from WP3 that

$wp_{a_1}(Q) = wp_{a_3}(Q) = E_{s_0} \wedge Q$, and

$wp_{a_2}(Q) = wp_{A_2}(Q) = Q(s_0)$.

Now we see that the initial-state, final-state relation of a program cannot in general determine its weakest pre-condition transformer, because $a_2$ and $a_3$ are assigned the same relation by the standard relational semantics, but define distinct wp transformers. Conversely, the wp transformer of a program cannot in general determine its initial-state, final-state relation, because $a_1$ and $a_3$ have the same wp transformer, but are assigned different relations.

The reason for these discrepancies is, roughly speaking, that the intended interpretation of how a program "can certainly [emphasis added] result in a properly terminating happening" reflected in WP1-3 requires, in addition to halting states being possibly accessible and all such states satisfying proper post-conditions, that there be no possibility of "looping or failing" branches among the various courses of a nondeterministic computation (cf. [Harel and Pratt, 1978; Harel, 1978; Hoare, 1978]). Programs $a_2$ and $a_3$ differ in that $a_3$ allows a possibility of infinite looping, so that $wp_{a_3}$ differs from $wp_{a_2}$ even though $R_{a_2} = R_{a_3}$. Similarly, even though $a_3$ can halt on every state and $a_1$ halts only on $s_0$, from the point of view of certainty of proper termination $a_3$ is no better than $a_1$, because $a_3$ allows looping in every state other than $s_0$; this is reflected in the fact that $wp_{a_3} = wp_{a_1}$ even though $R_{a_1} \neq R_{a_3}$.

It is possible to extend the notion of relational semantics so that looping or failing is explicitly indicated by the presence of a special state, $\bot$, with certain algebraic properties with respect to the other states. With some care, an extended relational semantics $R^\bot$ can be defined inductively with the result that the extended initial-state, final-state relation of a program does indeed determine its wp (cf. [deBakker, 1978]). However, the converse difficulty, that $wp_a$ does not determine either $R_a$ or $R^\bot_a$, remains.
Satisfactory deductive or axiomatic characterizations of wp for nondeterministic programs have proven difficult to devise. For this reason among others, we are inclined to agree with the arguments in [Harel, 1978; Harel and Pratt, 1978] that the semantical ideas implicit in wp are better treated by considering weakest antecedents, possible termination, looping, and failing as four separate notions.


6 Conclusion 

We have mainly looked at three kinds of semantics (relational, partial correctness and predicate transformer) and several ways of specifying a semantics (inductive definitions, axiom systems, deduction systems). Each semantics was specified with roughly equal economy and complete precision in several of these ways. There was no particular technical problem in defining rigorously how specifications determined semantics, although there were three or four different mathematical mechanisms used to connect the specifications with the intended semantics.

The standard relational and partial correctness semantics are equivalent. This means that the set of all partial correctness assertions true for our trivial programming language gives exactly the same information as the relational semantics. (This is true despite the fact that in a certain narrow technical sense partial correctness assertions cannot be used to express termination of programs.) Either kind of semantics can be specified directly using an axiom system or a deductive system, and either semantics determines the other, independent of the means of specification. For deterministic programs, similar observations were made about predicate transformer semantics. However, for nondeterministic programs the predicate transformer $wp_a$ may not determine or be determined by the initial-state, final-state relation of program a. Satisfactory axiomatic alternatives to the inductive specification of $wp_a$ have not been found.

It may be worth remarking that the entire preceding development extends easily to the somewhat richer programming language considered by Lauer [1971], including conditional and nondeterministic choice statements, blocks with local variables, and nonrecursive procedure declarations and calls.

Syntax played a limited role in this paper. Only programs were syntactic objects; predicates were treated as mathematical, set-theoretic objects. The next refinement of the study begun here involves restricting predicates to those which are definable in some agreed-upon formal notation, e.g., first or second order logics of appropriate structures. When we restrict predicates in this way the situation becomes more complicated (and more interesting), and the conclusions we reached above about the equivalence of various kinds of semantics must be modified. Thus, there are cases where the set of all true definable pca's may not determine the proper relational semantics; in other cases a restricted deductive theory may contain only a subset of all true definable pca's and yet determine the right semantics. We postpone to a later paper further discussion of the restriction to definable predicates.
In sum, we have illustrated that, from a purely formal viewpoint, attempting to specify the meaning of a language in several ways can be made to work, at least for very simple programming languages when we (unrealistically) place no restrictions on the language for expressing predicates. However, care had to be taken to indicate how each specification was to be understood before it could be applied by any of the variety of possible users.
Appendix A.


Proof  of  Theorem  1. 

Theorem  1:  The  standard  relational  semantics  is  the  only  model  of  HLI-7. 

Let T be the set of transition assertions $s(a)s'$ true for a relational model $\mathcal{T}$ of HL1-7. We will prove by induction on a that $(s, s') \in R_a$ iff $s(a)s' \in T$. Thus $\mathcal{T} = R$.

If a is NOP then by HL5, $s(NOP)s' \in T$ iff $s = s'$ iff $(s, s') \in R_{NOP}$. Similarly, if a is a primitive statement A, then by HL1, $s(A)s' \in T$ iff $(s, s') \in R_A$.

If a is b;c then by HL2, induction, and R2,

$s(b;c)s' \in T$

iff $\exists t[s(b)t \in T \wedge t(c)s' \in T]$

iff $\exists t[(s, t) \in R_b \wedge (t, s') \in R_c]$

iff $(s, s') \in R_b \circ R_c$

iff $(s, s') \in R_{b;c}$.

The  case  of  while  statements  follows  directly  from  the  following  Lemmas  A1  and  A2. 

Lemma A1: If $(s, s') \in R_{\text{while } p \text{ do } b}$ then $s(\text{while } p \text{ do } b)s' \in T$.

Proof: We need the following

Definition A1: For states s, s', program b and predicate P, let $dist_{b,P}(s, s')$ be the least nonnegative integer k, if any, such that there is a sequence $s_0, \ldots, s_k$ of states with the property that

(i) $s_0 = s$,

(ii) $s_k = s'$, and

(iii) $P(s_i) \wedge (s_i, s_{i+1}) \in R_b$ for all nonnegative integers $i < k$.

If no such k exists the distance $dist_{b,P}(s, s')$ is said to be infinite.

We take the following two facts as obvious from Definition A1. First, if $dist_{b,P}(s, s') = n+1$, then $P(s)$ and there is an $s_1$ such that $(s, s_1) \in R_b$ and $dist_{b,P}(s_1, s') = n$. Second, $(s, s') \in R_{\text{while } p \text{ do } b}$ iff $dist_{b,P}(s, s')$ is finite and $\neg P(s')$.


C,  that  FHl-5  specifies  the  standard  partial  correctness  semantics.  Formally,  we  can  state 
Lemma A1 follows by induction on $dist_{b,P}(s, s')$. If the distance is zero, then $s = s'$ and from the second fact above we conclude that $\neg P(s)$. Then by HL6, $s(\text{while } p \text{ do } b)s' \in T$.

By the first fact above, if $dist_{b,P}(s, s') = n+1$ we have $P(s)$ and $(s, s_1) \in R_b$ for some $s_1$ such that $dist_{b,P}(s_1, s') = n$. From $(s, s_1) \in R_b$, by induction we have $s(b)s_1 \in T$. By induction on n, we have $s_1(\text{while } p \text{ do } b)s' \in T$. Therefore, by HL7, $s(\text{while } p \text{ do } b)s' \in T$. ∎(Lemma A1)

Lemma A2: If $s(\text{while } p \text{ do } b)s' \in T$ then $(s, s') \in R_{\text{while } p \text{ do } b}$.

Proof: Let $Q(t)$ be the predicate $(s, t) \in (R_p \circ R_b)^*$. We claim that $Q(s_1) \wedge P(s_1) \wedge s_1(b)s_2 \in T$ implies $Q(s_2)$. This follows by definition of Q and the fact that $s_1(b)s_2 \in T$ implies $(s_1, s_2) \in R_b$ by the main induction on a.

We now have $Q(s)$ by definition, and $s(\text{while } p \text{ do } b)s' \in T$ by hypothesis. By HL4 and the preceding claim, we can conclude $Q(s')$, and by HL3 and $s(\text{while } p \text{ do } b)s' \in T$, we have $\neg P(s')$.

Now $Q(s') \wedge \neg P(s')$ implies $(s, s') \in R_{\text{while } p \text{ do } b}$ by definition of $R_{\text{while } p \text{ do } b}$. ∎(Lemma A2)
Appendix B.


Proof  of  Lemma  2 

Lemma 2: $M_a = \max\{(P, Q) \mid P\{a\}Q \text{ is true for } M\}$.

We first prove the claim that $\max(\mathcal{M})$ is the maximum relation for which all pairs of predicates in $\mathcal{M}$ hold.

Definition B1: Let R be a binary relation on states. Then define $\mathcal{M}_R = \{(P, Q) \mid (P, Q) \text{ holds for } R\}$.

Note that all the pairs in $\mathcal{M}$ hold for R iff $\mathcal{M} \subseteq \mathcal{M}_R$. Thus the following lemma establishes the preceding claim.

Lemma B1: $R \subseteq \max(\mathcal{M})$ iff $\mathcal{M} \subseteq \mathcal{M}_R$.

Proof: (only if) Suppose $(P, P') \in \mathcal{M}$. Then by definition of max, $P(s) \to P'(s')$ for all $(s, s') \in \max(\mathcal{M})$. Thus, if $R \subseteq \max(\mathcal{M})$, then $P(s) \to P'(s')$ for all $(s, s') \in R$. That is, by Definition 2, (P, P') holds for R. So $(P, P') \in \mathcal{M}_R$.

(if) Now assume $(s, s') \in R$. By Definition 2, $P(s) \to P'(s')$ for all $(P, P') \in \mathcal{M}_R$. If $\mathcal{M} \subseteq \mathcal{M}_R$, then $P(s) \to P'(s')$ for all $(P, P') \in \mathcal{M}$, and so $(s, s') \in \max(\mathcal{M})$ by definition of max. ∎(Lemma B1)

Lemma B2: $R = \max(\mathcal{M}_R)$.

Proof: $R \subseteq \max(\mathcal{M}_R)$ by Lemma B1. To show equality, suppose $(s_1, s_2) \notin R$. Let $E_s$ be the predicate true only of state s. Then $(E_{s_1}, \neg E_{s_2})$ holds for R, so $(E_{s_1}, \neg E_{s_2}) \in \mathcal{M}_R$ and, by definition of max, $(s_1, s_2) \notin \max(\mathcal{M}_R)$. ∎(Lemma B2)

Note that if M is a relational semantics, then $\mathcal{M}_{M_a} = \{(P, Q) \mid (P, Q) \text{ holds for } M_a\} = \{(P, Q) \mid P\{a\}Q \text{ is true for } M\}$, so Lemma 2 follows immediately from Lemma B2.
Appendix C.

Proof of Theorem 4.

Theorem 4: The set of pca's derivable from FH1-5 is equal to the set of pca's true for the standard relational semantics.

We prove by induction on the structure of programs that $P\{a\}Q$ true for R implies $P\{a\}Q$ derivable.

If $P\{NOP\}Q$ is true for R, then by Definition 2 and R1 we conclude that P implies Q, viz., $\models P \to Q$, or equivalently, $P \vee Q = Q$. Hence $P\{NOP\}Q$ is derivable by applying FH5 to the FH1 axiom $P\{NOP\}P$.

If $P\{A\}Q$ is true for R, then by Lemma 3, P implies $[R_A]Q$, so $P\{A\}Q$ is derivable by applying FH5 to the FH2 axiom $([R_A]Q)\{A\}Q$.

If $P\{a;b\}Q$ is true for R, then $P\{a\}([R_b]Q)$ must be true for R, as the reader can verify from Definitions 2, 4, and R2. Also, $([R_b]Q)\{b\}Q$ is true for R by Definitions 2 and 4. By induction we may conclude that $P\{a\}([R_b]Q)$ and $([R_b]Q)\{b\}Q$ are derivable, and therefore $P\{a;b\}Q$ is derivable by applying FH3.

Finally, suppose $P_1\{\text{while } p \text{ do } a\}P_2$ is true for R. Let $Q = [R_{\text{while } p \text{ do } a}]P_2$. Then again it follows directly from the definitions that

(1) $P_1$ implies Q,

(2) $Q \wedge \neg P$ implies $P_2$, and

(3) $(Q \wedge P)\{a\}Q$ is true for R.

Then by induction, we conclude from (3) that $(Q \wedge P)\{a\}Q$ is derivable. Applying FH4, we can therefore derive $Q\{\text{while } p \text{ do } a\}(Q \wedge \neg P)$. But we can apply FH5 to the latter assertion to derive $(P_1 \wedge Q)\{\text{while } p \text{ do } a\}(P_2 \vee (Q \wedge \neg P))$, which by (1) and (2) is the same as $P_1\{\text{while } p \text{ do } a\}P_2$.

We omit the proof that FH1-5 is sound, i.e., if $P\{a\}Q$ is derivable then $P\{a\}Q$ is true for R. ∎
Appendix D.

Proof of Theorem 5.

Theorem 5: The standard partial correctness semantics is the only partial correctness model of PC1-4.

The following lemma summarizes some facts about weakest antecedent which are used in the proof.

Lemma D1: Let R, $R_1$, and $R_2$ be relations on states.

(a) $\exists P'(\models(P \to [R]P') \wedge \models(P' \to Q))$ iff $\models(P \to [R]Q)$.

(b) $[R_1][R_2]Q = [R_1 \circ R_2]Q$.

(c) $\models([R^*]Q \to Q)$.

(d) $\models([R^*]Q \to [R][R^*]Q)$.

Proof of D1: (a) The implication from right to left is trivial since we can choose $P' = Q$. The converse follows from the easily verified fact that $[R](P' \wedge Q) = [R]P' \wedge [R]Q$ (cf. [Pratt, 1976]).

(b) Follows from Definition 4. We omit the details (cf. [Pratt, 1976]).

(c) and (d). Note that $[R_1 \cup R_2]Q = [R_1]Q \wedge [R_2]Q$. Hence $[R^*]Q = [I \cup R \circ R^*]Q = [I]Q \wedge [R \circ R^*]Q = Q \wedge [R][R^*]Q$. ∎(Lemma D1)

Let $\mathcal{M}$ be any partial correctness model of PC1-4, and write $\mathcal{R}$ for the standard partial correctness semantics. We show that $\mathcal{M}_a = \mathcal{R}_a$ by induction on the structure of program a.

$(P, Q) \in \mathcal{M}_{NOP}$ iff (by Def. 5) $P\{NOP\}Q$ is true for $\mathcal{M}$ iff (by PC1) $\models(P \to Q)$ iff (by Def. 2 and R1) $(P, Q) \in \mathcal{R}_{NOP}$.

$(P, Q) \in \mathcal{M}_A$ iff (by PC2 and Def. 5) $\models(P \to [R_A]Q)$ iff (by Def. 2 and Lemma 3) $(P, Q) \in \mathcal{R}_A$.

Suppose a = b;c. Then $(Q, Q') \in \mathcal{M}_a$

iff (by PC3 and Def. 5) $\exists P'((Q, P') \in \mathcal{M}_b \wedge (P', Q') \in \mathcal{M}_c)$

iff (by induction) $\exists P'((Q, P') \in \mathcal{R}_b \wedge (P', Q') \in \mathcal{R}_c)$

iff (by Def. 2 and Lemma 3) $\exists P'(\models(Q \to [R_b]P') \wedge \models(P' \to [R_c]Q'))$

iff (by Lemma D1 (a)) $\models(Q \to [R_b][R_c]Q')$


iff (by Lemma D1 (b)) $\models(Q \to [R_b \circ R_c]Q')$

iff (by R2, Lemma 3, and Def. 2) $(Q, Q') \in \mathcal{R}_a$.

We need the following two lemmas for the case of a = while p do b.

Lemma D2: $(Q, Q') \in \mathcal{R}_{\text{while } p \text{ do } b}$ implies

$\exists Q''(\models((Q'' \wedge P) \to [R_b]Q'') \wedge \models(Q \to Q'') \wedge \models((Q'' \wedge \neg P) \to Q'))$.

Proof of D2: $(Q, Q') \in \mathcal{R}_{\text{while } p \text{ do } b}$

iff $\models(Q \to [R_{\text{while } p \text{ do } b}]Q')$

iff (by R3) $\models(Q \to [(R_p \circ R_b)^* \circ R_{\neg p}]Q')$

iff (by Lemma D1 (b)) $\models(Q \to [(R_p \circ R_b)^*][R_{\neg p}]Q')$

iff (by Lemma D1 (a)) $\exists Q_1(\models(Q \to [(R_p \circ R_b)^*]Q_1) \wedge \models(Q_1 \to [R_{\neg p}]Q'))$.

Since $[R_{\neg p}]Q'$ is, by Definition 4, equivalent to $\neg P \to Q'$, this last formula is equivalent to

$\exists Q_1(\models(Q \to [(R_p \circ R_b)^*]Q_1) \wedge \models((Q_1 \wedge \neg P) \to Q'))$.

Let $Q'' = [(R_p \circ R_b)^*]Q_1$ where $Q_1$ is a predicate whose existence is guaranteed by the previous formula. Then by definition of $Q''$, $\models(Q \to Q'')$. By Lemma D1 (c), $\models(Q'' \to Q_1)$. This fact and $\models((Q_1 \wedge \neg P) \to Q')$ imply that $\models((Q'' \wedge \neg P) \to Q')$. Thus we need only show that $\models((Q'' \wedge P) \to [R_b]Q'')$. By Lemma D1 (d), $\models(Q'' \to [R_p \circ R_b]Q'')$, which by Lemma D1 (b) and Definition 4 implies $\models((Q'' \wedge P) \to [R_b]Q'')$. ∎(Lemma D2)

Lemma D3: $(Q, Q') \notin \mathcal{R}_{\text{while } p \text{ do } b}$ implies

$\neg\exists Q''(\models((Q'' \wedge P) \to [R_b]Q'') \wedge \models(Q \to Q'') \wedge \models((Q'' \wedge \neg P) \to Q'))$.

Proof of D3: If $(Q, Q') \notin \mathcal{R}_{\text{while } p \text{ do } b}$, then by Definition 2 there exist s, s' satisfying

(iv) $Q(s) \wedge \neg Q'(s') \wedge (s, s') \in R_{\text{while } p \text{ do } b}$.

Since $(s, s') \in R_{\text{while } p \text{ do } b}$ we have $\neg P(s')$, and, as we observed in Appendix A, there is a sequence of states $s_0, \ldots, s_k$ such that

(i) $s_0 = s$,

(ii) $s_k = s'$, and

(iii) $P(s_i) \wedge (s_i, s_{i+1}) \in R_b$ for all nonnegative integers $i < k$.

Now assume $Q''$ satisfies $\models(Q \to Q'')$,

(v) $\models((Q'' \wedge P) \to [R_b]Q'')$, and

(vi) $\models((Q'' \wedge \neg P) \to Q')$.

If k = 0, then $\models(Q \to Q'')$, $\neg P(s)$, (iv), and (vi) together imply $Q'(s')$, which contradicts (iv).

If k > 0, then by (iv) and $\models(Q \to Q'')$ we have $Q''(s_0)$. By (iii) and (v) we conclude $Q''(s_i)$ for $i \le k$. Then $\neg P(s')$, (ii), and (vi) imply $Q'(s')$, again contradicting (iv). ∎(Lemma D3)

We can now complete the proof of Theorem 5.

Suppose a = while p do b. Then $(Q, Q') \in \mathcal{M}_a$

iff (by PC4) $\exists Q''[((P \wedge Q''), Q'') \in \mathcal{M}_b \wedge \models(Q \to Q'') \wedge \models((Q'' \wedge \neg P) \to Q')]$

iff (by induction) $\exists Q''[((P \wedge Q''), Q'') \in \mathcal{R}_b \wedge \models(Q \to Q'') \wedge \models((Q'' \wedge \neg P) \to Q')]$

iff (by Def. 2 and Lemma 3) $\exists Q''[\models((P \wedge Q'') \to [R_b]Q'') \wedge \models(Q \to Q'') \wedge \models((Q'' \wedge \neg P) \to Q')]$

iff (by Lemmas D2 and D3) $(Q, Q') \in \mathcal{R}_a$. ∎(Theorem 5)
Appendix E.

Proofs of Theorem 12, Corollary 13, and Theorem 14.

Theorem 12. Let $P$ be a predicate true in only finitely many states. Then $P\langle a\rangle Q$ is derivable from TA1-7 iff $P\langle a\rangle Q$ is true for the standard relational semantics.

In what follows, truth of termination assertions will be counted with respect to $R$, and derivability with respect to TA1-7.

Soundness of the system TA1-7 follows directly from the definitions. That is, if $Q\langle a\rangle Q'$ is derivable, then it is true. We omit details of the proof.

Conversely, we prove completeness for termination assertions with finite antecedents by induction on program structure. Namely, if $Q\langle a\rangle Q'$ is true and $Q$ is finite, then $Q\langle a\rangle Q'$ is derivable.

If $a$ is NOP or a primitive statement, then all true assertions $Q\langle a\rangle Q'$ are obviously derivable from TA1, 2 and 6.

If $a$ is $b;c$ and $Q\langle b;c\rangle Q'$ is true, then by TR2 and Definition 6 of termination assertions, there is, for every state $s$ such that $Q(s)$, a state sequence $s \ldots s'' \ldots s'$ such that $Q'(s')$, $s \ldots s'' \in Tr_b$, and $s'' \ldots s' \in Tr_c$. Let $Q'' = \bigvee\{E_{s''} \mid Q(s)\}$. Note that if $Q$ is finite, so is $Q''$. Moreover, $Q\langle b\rangle Q''$ and $Q''\langle c\rangle Q'$ are true, and so by induction hypothesis they are derivable. But then $Q\langle a\rangle Q'$ is derivable from them by TA4.

If $a$ is $\mathbf{while}\ p\ \mathbf{do}\ b$, we first observe that if $E_s\langle a\rangle E_t$ is true, then it is derivable. For if $E_s\langle a\rangle E_t$ is true, then as in the proof of Lemma A1 we have either

(i) $dist_{b,p}(s,t) = 0$, so $s = t$ and $\neg P(s)$, and therefore $E_s\langle a\rangle E_t$ is derivable by TA3, or

(ii) $dist_{b,p}(s,t) = n+1$, $E_s\langle b\rangle E_{s_1}$ is true, $E_{s_1}\langle a\rangle E_t$ is true and $dist_{b,p}(s_1,t) = n$, for some state $s_1$. Then by induction on $n$, $E_{s_1}\langle a\rangle E_t$ is derivable, and by the main induction hypothesis $E_s\langle b\rangle E_{s_1}$ is derivable, and therefore $(P \wedge E_s)\langle a\rangle(E_t \wedge \neg P)$ is derivable from TA5. But since $dist_{b,p}(s,t) > 0$, we have $P(s)$, and hence $P \wedge E_s = E_s$. Also since $E_{s_1}\langle a\rangle E_t$ is true, we have $\neg P(t)$ and hence $E_t \wedge \neg P = E_t$. Therefore $E_s\langle a\rangle E_t$ is derivable.

Finally, if $Q\langle a\rangle Q'$ is true, then it follows by definition that for every $s$ such that $Q(s)$, there is a $t$ such that $Q'(t)$ and $E_s\langle a\rangle E_t$ is true. By the preceding observation $E_s\langle a\rangle E_t$ is derivable, and hence $E_s\langle a\rangle Q'$ is derivable by TA6. But $Q = \bigvee\{E_s \mid Q(s)\}$, so if $Q$ is finite, then $Q\langle a\rangle Q'$ is derivable by TA7 from $\{E_s\langle a\rangle Q' \mid Q(s)\}$. ∎ (Theorem 12)
Corollary 13. $\langle R_a\rangle Q = \bigvee\{P \mid P\langle a\rangle Q \in Th(\mathrm{TA1\text{-}7})\}$.

Proof: $(\langle R_a\rangle Q)(s)$ iff (by definition of $\langle R_a\rangle$) $\exists t\,[(s,t) \in R_a \wedge Q(t)]$

iff (by Definition 6) $E_s\langle a\rangle Q$ is true

iff (by Theorem 12) $E_s\langle a\rangle Q$ is derivable

iff (by TA6) $\exists P\,[P \wedge E_s = E_s$ and $P\langle a\rangle Q$ is derivable$]$

iff the righthand predicate is true of $s$. ∎ (Corollary 13)

Theorem 14: The termination assertions derivable from TA1-8 are precisely those true for the standard relational semantics.

Proof. Soundness of TA8 follows immediately from the logical equivalence of $\forall i\,[P_i \to Q]$ and $(\exists i\,[P_i]) \to Q$.

To prove completeness, assume $P\langle a\rangle Q$ is true. Then $E_s\langle a\rangle Q$ is true for all $s$ such that $P(s)$, and so is derivable by Theorem 12. But since $P = \bigvee\{E_s \mid P(s)\}$, we can derive $P\langle a\rangle Q$ by TA8. ∎ (Theorem 14)
1. In a later paper Hoare [1978] emphasizes the verification aspects of proof rules rather than their use as a means of specifying semantics. However, it is the latter use on which we focus here.

2. We avoid the use of the word "nondeterministic" here because nondeterminism is a property of how final states are computed from initial states, rather than merely being a property of which initial states map to which final states. Nonfunctional relations can only arise from nondeterministic programs, but functional relations do not necessarily arise only from deterministic programs.

3. We emphasize that in this paper predicates are mathematical objects, not to be confused with expressions denoting them.

4. This definition is essentially taken from Pratt's [1976, Section 3.1, p. 115] definition of "binary relation semantics".

5. Technically speaking, HL1-5 are axiom schemes in which $a$, $b$ may be any programs, $Q$ any predicate, etc.

6. Pca's are usually defined to be wholly syntactic objects, namely, to be of the form $p\{a\}q$ where $p$, $q$ are predicate expressions. Similarly, in the thesis on which the Hoare and Lauer paper is based, Lauer [1971, p. 67] defines a syntactic version of partial correctness semantics. Namely, he associates with each program a certain set of pairs of predicate expressions.

However, none of the theory we treat in this paper depends on the syntax of the expressions used for predicates, and for this reason it is simpler to let the predicates themselves appear as components of pca's. In this way we avoid having to introduce rules for syntactic manipulation of expressions, and also avoid problems arising from the fact that certain predicates may not be definable using a particular class of expressions. We plan to treat these latter problems in a later paper (cf. Section 6, third paragraph).

7.  A similar  observation  is  made  by  Pratt  [1976,  section  1.2]. 

8. Indeed, partial correctness semantics are potentially richer than relational semantics because not all partial correctness semantics are derived from relational semantics. Put formally, any relation $\mathcal{A}$ on predicates must be contained in $\{(P, Q) \mid (P, Q) \text{ holds for } \max(\mathcal{A})\}$, but the containment is proper in general. Such an $\mathcal{A}$ does not correspond to the set of all partial correctness assertions true for any single relation on states. We shall, however, make no use in this paper of partial correctness semantics which are not equivalent to relational semantics.


9. The "box" notation is taken from the "necessity" operator of modal logic following the suggestion of Pratt [1976]. Dijkstra [1976] refers to weakest antecedents as weakest liberal preconditions. Schwarz [1974] called them exact semantic backward connections.

[...] inductively with the [...] result that the extended initial-state, final-state relation of a program does indeed determine its $wp$ (cf. [deBakker, 1978]). However, the converse difficulty, that $wp_a$ does not determine either $R_a$ or [...], remains.

10. Hoare and Lauer omit FH1 -- a minor oversight. Their D3 is misprinted, but it is clear from their Lemma 9 that they intended to state FH4.

11. In Lauer's thesis [1971] a "rule of consequence" equivalent to FH5 is included.

12. Theorem 5, in particular the characterization of while statements by PC4, is implicit in Lemma 2.3 of deBakker [1975].

13. Technically speaking, we should say that $B$ is a model of Th(FH1-5) and Th(T1-5), where Th($\mathcal{T}$) refers to the set of theorems deducible in deductive system $\mathcal{T}$.

14. This seems to be the technical content of the frequently heard remark that pca's cannot be used to assert termination (cf. e.g. [Hoare, 1969], [Manna, 1974], [Pratt, 1976]). The remark is correct, but must not be misinterpreted as implying that pca's are an inherently inadequate means of specifying semantics. As we have seen in Lemma 2, the complete set of true pca's uniquely determines $R$ despite the anti-monotonicity of pca's.

15. Hoare and Lauer refer to "theorems, proved in the relational theory", rather than mentioning models explicitly. They do not offer rules of inference for proving theorems from HL1-5, although Lauer [1971] indicates by example that he intends the usual rules of predicate calculus to be applied. We prefer the more general definition of consistency (implication) we have formulated in terms of models, since this definition is not vulnerable to failures springing from the frequently unavoidable incompleteness of effective inference rules. If we assume that a complete set of inference rules is available, or alternatively if we use the model-theoretic notion of theorem, namely, an assertion is a theorem when it is true of all models of the axioms, then their formulation of consistency is equivalent to ours.

16. Note that although FH1-4 specify $R$ according to the technical hypotheses of Theorem 9, it is not true that Th(FH1-4) = Th(FH1-5), or even that $R$ is the largest model of Th(FH1-4).

We regard the characterization of $R$ in Theorem 10 as subtle because there is no particular reason to look at largest models in the context of an axiomatization like HL1-5. Indeed, we saw that by adding HL6-7 only one model is possible, so there is no reason to expect or rely on a condition like maximality to force uniqueness.

17. A similar observation is made by Raulefs [1977, Lemma 2-1, p. 11].

18. Dijkstra's definitions can be found on pp. 25, 30 and 35. Our WP3 can be obtained from Dijkstra's definition of the do...od construct (p. 35) by noting that $\mathbf{while}\ p\ \mathbf{do}\ a$ is equal to $\mathbf{do}\ p \to a\ \mathbf{od}$.

19. Note that for programs which are not primitive statements, the restriction that $R_a$ be a function is not sufficient to ensure $\langle R_a\rangle = wp_a$ (cf. the examples in section 5.4).

20. Lemma 7 does not generalize much beyond the trivial class of while programs we are considering. In particular, when nondeterministic program constructs such as guarded commands are allowed in programs, Lemma 7 does not hold.

21. Recapitulating the developments in earlier sections, we could regard TA1-7 or TA1-8 as specifying the standard relational models rather than possible termination transformers. Indeed Theorem 7 together with Theorems 12 and 14 immediately imply that $R$ is the smallest relational model of TA1-7 and/or TA1-8. Since termination assertions, like transition assertions, are monotone, we cannot hope to determine $R$ as the unique model of TA1-8.

However, note that by fashioning a deductive system involving both pca's and termination assertions, using FH1-5 and TA1-7 for example, one can obtain $R$ as the unique model. Our point here is that there is no special inadequacy of deductive specifications which prevents them from determining a unique model.

22. Alternatively, we can reach the same definition of $wp_{A_3}$ by regarding $A_3$ as the nondeterministic join of $A_1$ and $A_2$. That is, using Dijkstra's guarded command notation, $A_3$ is equivalent to $\mathbf{if}\ \mathit{true} \to A_1 \;\square\; \mathit{true} \to A_2\ \mathbf{fi}$, so that $wp_{A_3} = wp_{A_1} \wedge wp_{A_2}$ [Dijkstra, 1976, p. 34].